cve-2021-47370
Vulnerability from cvelistv5
Published
2024-05-21 15:03
Modified
2024-11-04 11:39
Severity ?
Summary
mptcp: ensure tx skbs always have the MPTCP ext
Impacted products
Vendor Product Version
Linux Linux Version: 5.14.7   
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-47370",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-21T18:22:09.218884Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:14:02.794Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T05:32:08.671Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/f8ff625a8082db8c2b58dcb5229b27928943b94b"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/977d293e23b48a1129830d7968605f61c4af71a0"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/mptcp/protocol.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f8ff625a8082",
              "status": "affected",
              "version": "e35820fb5641",
              "versionType": "git"
            },
            {
              "lessThan": "977d293e23b4",
              "status": "affected",
              "version": "1094c6fe7280",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/mptcp/protocol.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5.14.9",
              "status": "affected",
              "version": "5.14.7",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: ensure tx skbs always have the MPTCP ext\n\nDue to signed/unsigned comparison, the expression:\n\n\tinfo-\u003esize_goal - skb-\u003elen \u003e 0\n\nevaluates to true when the size goal is smaller than the\nskb size. That results in lack of tx cache refill, so that\nthe skb allocated by the core TCP code lacks the required\nMPTCP skb extensions.\n\nDue to the above, syzbot is able to trigger the following WARN_ON():\n\nWARNING: CPU: 1 PID: 810 at net/mptcp/protocol.c:1366 mptcp_sendmsg_frag+0x1362/0x1bc0 net/mptcp/protocol.c:1366\nModules linked in:\nCPU: 1 PID: 810 Comm: syz-executor.4 Not tainted 5.14.0-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nRIP: 0010:mptcp_sendmsg_frag+0x1362/0x1bc0 net/mptcp/protocol.c:1366\nCode: ff 4c 8b 74 24 50 48 8b 5c 24 58 e9 0f fb ff ff e8 13 44 8b f8 4c 89 e7 45 31 ed e8 98 57 2e fe e9 81 f4 ff ff e8 fe 43 8b f8 \u003c0f\u003e 0b 41 bd ea ff ff ff e9 6f f4 ff ff 4c 89 e7 e8 b9 8e d2 f8 e9\nRSP: 0018:ffffc9000531f6a0 EFLAGS: 00010216\nRAX: 000000000000697f RBX: 0000000000000000 RCX: ffffc90012107000\nRDX: 0000000000040000 RSI: ffffffff88eac9e2 RDI: 0000000000000003\nRBP: ffff888078b15780 R08: 0000000000000000 R09: 0000000000000000\nR10: ffffffff88eac017 R11: 0000000000000000 R12: ffff88801de0a280\nR13: 0000000000006b58 R14: ffff888066278280 R15: ffff88803c2fe9c0\nFS:  00007fd9f866e700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007faebcb2f718 CR3: 00000000267cb000 CR4: 00000000001506e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n __mptcp_push_pending+0x1fb/0x6b0 net/mptcp/protocol.c:1547\n mptcp_release_cb+0xfe/0x210 net/mptcp/protocol.c:3003\n release_sock+0xb4/0x1b0 net/core/sock.c:3206\n sk_stream_wait_memory+0x604/0xed0 net/core/stream.c:145\n mptcp_sendmsg+0xc39/0x1bc0 net/mptcp/protocol.c:1749\n inet6_sendmsg+0x99/0xe0 net/ipv6/af_inet6.c:643\n sock_sendmsg_nosec net/socket.c:704 [inline]\n sock_sendmsg+0xcf/0x120 net/socket.c:724\n sock_write_iter+0x2a0/0x3e0 net/socket.c:1057\n call_write_iter include/linux/fs.h:2163 [inline]\n new_sync_write+0x40b/0x640 fs/read_write.c:507\n vfs_write+0x7cf/0xae0 fs/read_write.c:594\n ksys_write+0x1ee/0x250 fs/read_write.c:647\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x4665f9\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fd9f866e188 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 000000000056c038 RCX: 00000000004665f9\nRDX: 00000000000e7b78 RSI: 0000000020000000 RDI: 0000000000000003\nRBP: 00000000004bfcc4 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 000000000056c038\nR13: 0000000000a9fb1f R14: 00007fd9f866e300 R15: 0000000000022000\n\nFix the issue rewriting the relevant expression to avoid\nsign-related problems - note: size_goal is always \u003e= 0.\n\nAdditionally, ensure that the skb in the tx cache always carries\nthe relevant extension."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-04T11:39:54.140Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f8ff625a8082db8c2b58dcb5229b27928943b94b"
        },
        {
          "url": "https://git.kernel.org/stable/c/977d293e23b48a1129830d7968605f61c4af71a0"
        }
      ],
      "title": "mptcp: ensure tx skbs always have the MPTCP ext",
      "x_generator": {
        "engine": "bippy-c8e10e5f6187"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2021-47370",
    "datePublished": "2024-05-21T15:03:35.810Z",
    "dateReserved": "2024-05-21T14:58:30.810Z",
    "dateUpdated": "2024-11-04T11:39:54.140Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-47370\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-21T15:15:22.927\",\"lastModified\":\"2024-11-21T06:36:00.093\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmptcp: ensure tx skbs always have the MPTCP ext\\n\\nDue to signed/unsigned comparison, the expression:\\n\\n\\tinfo-\u003esize_goal - skb-\u003elen \u003e 0\\n\\nevaluates to true when the size goal is smaller than the\\nskb size. That results in lack of tx cache refill, so that\\nthe skb allocated by the core TCP code lacks the required\\nMPTCP skb extensions.\\n\\nDue to the above, syzbot is able to trigger the following WARN_ON():\\n\\nWARNING: CPU: 1 PID: 810 at net/mptcp/protocol.c:1366 mptcp_sendmsg_frag+0x1362/0x1bc0 net/mptcp/protocol.c:1366\\nModules linked in:\\nCPU: 1 PID: 810 Comm: syz-executor.4 Not tainted 5.14.0-syzkaller #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\\nRIP: 0010:mptcp_sendmsg_frag+0x1362/0x1bc0 net/mptcp/protocol.c:1366\\nCode: ff 4c 8b 74 24 50 48 8b 5c 24 58 e9 0f fb ff ff e8 13 44 8b f8 4c 89 e7 45 31 ed e8 98 57 2e fe e9 81 f4 ff ff e8 fe 43 8b f8 \u003c0f\u003e 0b 41 bd ea ff ff ff e9 6f f4 ff ff 4c 89 e7 e8 b9 8e d2 f8 e9\\nRSP: 0018:ffffc9000531f6a0 EFLAGS: 00010216\\nRAX: 000000000000697f RBX: 0000000000000000 RCX: ffffc90012107000\\nRDX: 0000000000040000 RSI: ffffffff88eac9e2 RDI: 0000000000000003\\nRBP: ffff888078b15780 R08: 0000000000000000 R09: 0000000000000000\\nR10: ffffffff88eac017 R11: 0000000000000000 R12: ffff88801de0a280\\nR13: 0000000000006b58 R14: ffff888066278280 R15: ffff88803c2fe9c0\\nFS:  00007fd9f866e700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000\\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 00007faebcb2f718 CR3: 00000000267cb000 CR4: 00000000001506e0\\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\nCall Trace:\\n __mptcp_push_pending+0x1fb/0x6b0 net/mptcp/protocol.c:1547\\n mptcp_release_cb+0xfe/0x210 net/mptcp/protocol.c:3003\\n release_sock+0xb4/0x1b0 net/core/sock.c:3206\\n sk_stream_wait_memory+0x604/0xed0 net/core/stream.c:145\\n mptcp_sendmsg+0xc39/0x1bc0 net/mptcp/protocol.c:1749\\n inet6_sendmsg+0x99/0xe0 net/ipv6/af_inet6.c:643\\n sock_sendmsg_nosec net/socket.c:704 [inline]\\n sock_sendmsg+0xcf/0x120 net/socket.c:724\\n sock_write_iter+0x2a0/0x3e0 net/socket.c:1057\\n call_write_iter include/linux/fs.h:2163 [inline]\\n new_sync_write+0x40b/0x640 fs/read_write.c:507\\n vfs_write+0x7cf/0xae0 fs/read_write.c:594\\n ksys_write+0x1ee/0x250 fs/read_write.c:647\\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\\n entry_SYSCALL_64_after_hwframe+0x44/0xae\\nRIP: 0033:0x4665f9\\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48\\nRSP: 002b:00007fd9f866e188 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\\nRAX: ffffffffffffffda RBX: 000000000056c038 RCX: 00000000004665f9\\nRDX: 00000000000e7b78 RSI: 0000000020000000 RDI: 0000000000000003\\nRBP: 00000000004bfcc4 R08: 0000000000000000 R09: 0000000000000000\\nR10: 0000000000000000 R11: 0000000000000246 R12: 000000000056c038\\nR13: 0000000000a9fb1f R14: 00007fd9f866e300 R15: 0000000000022000\\n\\nFix the issue rewriting the relevant expression to avoid\\nsign-related problems - note: size_goal is always \u003e= 0.\\n\\nAdditionally, ensure that the skb in the tx cache always carries\\nthe relevant extension.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mptcp: aseg\u00farese de que los skbs tx siempre tengan la extensi\u00f3n MPTCP. Debido a la comparaci\u00f3n firmado/sin firmar, la expresi\u00f3n: info-\u0026gt;size_goal - skb-\u0026gt;len \u0026gt; 0 se eval\u00faa como verdadera cuando el tama\u00f1o objetivo Es m\u00e1s peque\u00f1o que el tama\u00f1o skb. Esto da como resultado una falta de recarga de cach\u00e9 de transmisi\u00f3n, de modo que el skb asignado por el c\u00f3digo TCP central carece de las extensiones de skb MPTCP requeridas. Debido a lo anterior, syzbot puede activar el siguiente WARN_ON(): ADVERTENCIA: CPU: 1 PID: 810 en net/mptcp/protocol.c:1366 mptcp_sendmsg_frag+0x1362/0x1bc0 net/mptcp/protocol.c:1366 M\u00f3dulos vinculados en: CPU: 1 PID: 810 Comm: syz-executor.4 Not tainted 5.14.0-syzkaller #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:mptcp_sendmsg_frag+0x1362 /0x1bc0 net/mptcp/protocol.c:1366 C\u00f3digo: ff 4c 8b 74 24 50 48 8b 5c 24 58 e9 0f fb ff ff e8 13 44 8b f8 4c 89 e7 45 31 ed e8 98 57 2e fe e9 81 f4 ff ff e8 fe 43 8b f8 \u0026lt;0f\u0026gt; 0b 41 bd ea ff ff ff e9 6f f4 ff ff 4c 89 e7 e8 b9 8e d2 f8 e9 RSP: 0018:ffffc9000531f6a0 EFLAGS: 00010216 RAX: 000000000000697f : 0000000000000000 RCX: ffffc90012107000 RDX: 0000000000040000 RSI : ffffffff88eac9e2 RDI: 0000000000000003 RBP: ffff888078b15780 R08: 0000000000000000 R09: 00000000000000000 R10: ffffffff88eac017 R11: 0000000 R12: ffff88801de0a280 R13: 0000000000006b58 R14: ffff888066278280 R15: ffff88803c2fe9c0 FS: 00007fd9f866e700(0000) GS:ffff8880b9d0000 0(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007faebcb2f718 CR3: 00000000267cb000 CR4: 00000000001506e0 DR0: 0000000000000000 DR1: 0000000 DR2: 0000000000000000 DR3: 00000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Seguimiento de llamadas: __mptcp_push_pending+0x1fb/0x6b0 net/mptcp/protocol. c:1547 mptcp_release_cb+0xfe/0x210 net/mptcp/protocol.c:3003 release_sock+0xb4/0x1b0 net/core/sock.c:3206 sk_stream_wait_memory+0x604/0xed0 net/core/stream.c:145 mptcp_sendmsg+0xc39/0x1bc0 net/mptcp/protocol.c:1749 inet6_sendmsg+0x99/0xe0 net/ipv6/af_inet6.c:643 sock_sendmsg_nosec net/socket.c:704 [en l\u00ednea] sock_sendmsg+0xcf/0x120 net/socket.c:724 sock_write_iter+0x2a0/ 0x3e0 net/socket.c:1057 call_write_iter include/linux/fs.h:2163 [en l\u00ednea] new_sync_write+0x40b/0x640 fs/read_write.c:507 vfs_write+0x7cf/0xae0 fs/read_write.c:594 ksys_write+0x1ee/0x250 fs/read_write.c:647 do_syscall_x64 arch/x86/entry/common.c:50 [en l\u00ednea] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 Entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x4665f9 C\u00f3digo: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0ffff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fd9f866e188 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 0000056c038 RCX: 00000000004665f9 RDX: 00000000000e7b78 RSI: 0000000020000000 RDI: 00000000000000003 RBP: 00000000004bfcc4 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056c038 R13: 0000000000a9fb1f R 14: 00007fd9f866e300 R15: 0000000000022000 Solucione el problema al reescribir la expresi\u00f3n relevante para evitar problemas relacionados con los signos. Nota: size_goal siempre es \u0026gt;= 0. Adem\u00e1s, aseg\u00farese de que el skb en el cach\u00e9 tx siempre lleva la extensi\u00f3n relevante.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/977d293e23b48a1129830d7968605f61c4af71a0\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f8ff625a8082db8c2b58dcb5229b27928943b94b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/977d293e23b48a1129830d7968605f61c4af71a0\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/f8ff625a8082db8c2b58dcb5229b27928943b94b\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.